Watchtower: Vulnerable, weak, and reused passwords and Breach Report

Vulnerable, weak, and reused passwords
I am using 1Password in the browser (Chrome) and have discovered that Watchtower reports credentials such as four-digit PINs for library accounts as both "vulnerable" and "weak" passwords. While 1Password is correct in identifying these security issues, I can do nothing about this as the institution preconfigures the requirements. This is a circumstance that I cannot change; I would find it beneficial to dismiss the banners that now show persistently on the item page. I defer to 1Password's security banners and notifications as a sign that I need to take action on something. When I see these banners on items that I can do nothing about, I have to mentally backtrack or add notes on the item page indicating that while, yes, 1Password is correct, this is something to disregard persistently. Thus, the banner's significance becomes degraded. After all, I now need to tell myself to ignore the message and do the mental gymnastics of figuring out which notification is essential and which notice bears no significance because my hands are tied. It would be beneficial if 1Password could implement a feature where an item that someone cannot take action on could be marked as resolved or dismissed.

Further, it would be helpful if login entries could be marked as linked. There are some credentials I have stored that are linked across platforms. Continuing with the library example, Boston Public Library issues an eCard for library use. Through the Boston Public Library, patrons can register to join the library's organizational subscription to Lynda.com (LinkedIn Learning). Because access is extended by way of the Boston Public Library, patron library card credentials are used to access Lynda.com. Resultantly, 1Password indicated that I'd reused my credentials when I haven't; it's just that I am extended access to two different platforms connected by the same credentials. For the sake of organization and visual recognition, these have been set up as two separate logins. I would prefer not to unify them in one item page because they are two different platforms I need to access for differing reasons. It would be great if 1Password could implement a way for a user to indicate that these are linked credentials rather than reused credentials.

Breach Report
When I run a breach report, 1Password tells me there are logins I should add to my vault and change passwords for in order for the identified accounts to be safe. However, some of the items reported correspond to sites I may have engaged but never established accounts with. One example is evite.com. While I'm sure I never established an evite.com account, to be safe, I navigated to evite.com and attempted to perform a password reset. Evite.com returns that no such account exists for the credentials 1Password has reported to me. There appears to be no way for a user to resolve this within 1Password. As confirmed by evite.com, no such account exists for me to add to 1Password, and there is no action I'm able to take besides "creating" a login for a nonexistent account within 1Password to make the data breach report go away. I decided to pursue the path of establishing a login for the nonexistent evite.com account to get the breach report notification to disappear. At first, I was pleased because it appeared to have worked. Then, I decided to delete the login item because the account is, well, nonexistent. Unfortunately, 1Password now returns the same result—that I have vulnerable, nonexistent accounts to reconcile. A no-win situation.

The next account that I'm informed is compromised is one that does exist, and I reconciled the issue long ago. The credentials are updated in 1Password, and the URL that 1Password is returning as the cause for concern via the data breach report is the exact URL stored on the 1Password item page. It would again be useful for 1Password to implement the ability to mark something as reconciled and then dismiss the notification. Sometimes things are not what they seem, and that's okay. It would improve the 1Password user experience if the user could prevail in matters of common sense. In this instance, it is the fact that 1) I know these accounts don't exist and 2) I dealt with the credential issue, but 1Password isn't intelligent enough to know it because there isn't a way for me to inform 1Password of these facts.

I enjoy 1Password and have been using it personally since 2019. Just last month, I got my company to sign on for enterprise use, and I'm in the process of deploying 1Password Business across a global team. Now that I'm getting into the nitty-gritty of it all, I wanted to reach out to voice the opportunities for improvement I've noted throughout coming onboard as an organizational administrator.


1Password Version: 1Password.com
Extension Version: 1.23.1
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • ag_ana
    1Password Alumni

    Hi @arr009!

    > I am using 1Password in the browser (Chrome) and have discovered that Watchtower reports credentials such as four-digit PINs for library accounts as both "vulnerable" and "weak" passwords. While 1Password is correct in identifying these security issues, I can do nothing about this as the institution preconfigures the requirements. This is a circumstance that I cannot change; I would find it beneficial to dismiss the banners that now show persistently on the item page.

    Thank you for the feedback! I have passed it to our developers for consideration. I know that this is a request they are aware of, so I have added you to the list 👍

    ref: dev/projects/customer-feature-requests#130

    > Because access is extended by way of the Boston Public Library, patron library card credentials are used to access Lynda.com. Resultantly, 1Password indicated that I'd reused my credentials when I haven't; it's just that I am extended access to two different platforms connected by the same credentials. For the sake of organization and visual recognition, these have been set up as two separate logins. I would prefer not to unify them in one item page because they are two different platforms I need to access for differing reasons. It would be great if 1Password could implement a way for a user to indicate that these are linked credentials rather than reused credentials.

    The recommendation here is indeed to use a single login with two website URLs: if they are the exact same credentials, they are indeed the same thing from the perspective of 1Password, even if you use them on two different websites.

    Thank you also for the suggestions on the breach reports, I have logged those too :)

    ref: dev/projects/customer-feature-requests#483

  • arr009
    Community Member

    Thank you, ag_ana!

  • ag_ana
    1Password Alumni

    You are very welcome @arr009, I am happy to help :)

    If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

This discussion has been closed.